An incident can be reported by email to the Supplier Incident Report mailbox (email@example.com). This process is repeated annually, keyed to the anniversary of the vendor's enrollment as a Microsoft vendor. As long as a vendor continues to process the same type of information and perform the same type of work for Microsoft, it can expect to perform the same steps each year. If a supplier's work changes, it can update its profile, which may change the number of requirements in the DPR task and whether an independent assessment is required. As part of our readiness assessments, we can map your organization's controls and identify gaps against frameworks beyond the DPR (such as SOC, ISO, HITRUST, etc.) so you know exactly what you need to implement to meet those additional frameworks. At BARR, we take a "test once, use many" approach to our engagements, so a single readiness assessment can support compliance with multiple frameworks. Microsoft works with third-party vendors to meet the needs of its customers. These third-party companies are called suppliers. Supplier security and privacy at Microsoft is governed by the Supplier Security and Privacy Assurance (SSPA) program, a set of enterprise-wide requirements for all suppliers who work with Microsoft to deliver its online services. While the SSPA program provides overall governance and management of the supplier base, individual business units may place additional demands on their suppliers. Wherever you are in meeting the requirements of the Microsoft Supplier Security and Privacy Assurance program, Schellman can help. Talk to an SSPA specialist about your company's Microsoft vendor requirements today.
For example, Section E of the DPR deals with data retention. To comply with this section, a vendor must generally have a data destruction practice consistent with the terms of its EDTs with Microsoft. An unwritten routine is sufficient for self-certification, but a higher standard of documentation is required for the independent assessment. This additional documentation can be a policy, a flowchart, a screenshot of the system used to manage data retention and destruction, and so on. First, let's understand the components and key steps of the process. Each compliance cycle includes (a) an update to the vendor profile, (b) Microsoft's annual update of the SSPA requirements, known as the Data Protection Requirements (DPR), (c) the vendor's annual self-certification of compliance with the DPR, and, in certain circumstances, (d) an independent assessment, also called an audit. Even if your organization does not plan to work with Microsoft, a readiness assessment against the DPR framework has other benefits: it brings you closer to meeting GDPR requirements. As GDPR compliance becomes a goal for more and more organizations, a DPR readiness assessment can give your organization internal assurance that it is meeting the GDPR requirements it may be subject to. The time required to complete a readiness assessment and audit varies from company to company and depends on factors including the size of the company, the complexity of the organization, and its current security posture.
If an organization already has a SOC 2 report, the readiness assessment goes faster. For a new BARR client without a SOC 2 report, it typically takes one month to complete the readiness assessment, two to three months to remediate gaps and meet the requirements, and one month for BARR to complete the independent assessment against the DPR. Suppliers are expected to meet all applicable requirements. Your data processing profile determines whether the full DPR is issued or only a subset of requirements applies. For more information, see the introductory section of the Data Protection Requirements. At BARR, we strive to help organizations meet the requirements of the SSPA program and comply with the DPR as easily as possible. For companies planning to work with Microsoft in the future, we recommend beginning a DPR readiness assessment as soon as possible to get a head start: the sooner gaps are detected, the better. As part of the readiness assessment, we inquire into your environment, perform walkthroughs, and identify gaps that need to be addressed. Depending on the profile assigned, the list of requirements displayed in the DPR task may contain only a subset of the full set of 53 requirements. For example, suppliers who handle confidential data but no personal data only need to confirm that they comply with sections A, E and J.
The other sections mainly concern the processing of personal data and are therefore excluded entirely from the self-certification task. Review the DPR to understand Microsoft's requirements for personal and/or confidential data, and learn more about the SSPA program in the Program Guide. The current DPR is available below in several languages; these documents are updated annually in November. Microsoft asks that you submit certification that meets PCI DSS requirements. For more information about the purpose of the Payment Card Industry Data Security Standard (PCI DSS) requirement, see PCI DSS Certification Requirement in the SSPA Program Guide on Microsoft.com/procurement. Your SSPA data processing profile contains selections that are considered to pose higher risk to Microsoft. Refer to the SSPA Program Guide, which specifies the compliance requirements for different combinations of profile selections, so that your company can make an informed decision when defining its profile. Microsoft's Supplier Security and Privacy Assurance (SSPA) program is designed to provide data handling instructions to Microsoft suppliers. The Data Protection Requirements (DPR) are the requirements that some program members must meet. They include privacy controls such as notice, choice and consent, and data retention, as well as security controls such as access management, vulnerability management, and data loss prevention.
Supplier Security and Privacy Assurance (SSPA) is Microsoft's enterprise program for providing suppliers with Microsoft's data processing instructions in the form of the Microsoft Supplier Data Protection Requirements (DPR). SSPA drives compliance with these requirements through an annual compliance cycle. For new suppliers, work cannot begin until this cycle is completed. When a supplier processes Microsoft personal and/or confidential data, it works with its business sponsor to enroll in the SSPA program. Suppliers may also be selected to provide independent assurance by undergoing an assessment against the DPR. Suppliers must sign a Microsoft Framework Agreement as part of onboarding. This agreement governs the relationship between Microsoft and its suppliers and ensures consistent management of supplier relationships. As part of onboarding, suppliers register with SSPA and must comply with all applicable requirements before they can be approved for data processing categories. Microsoft business units can create engagements with suppliers only if the data processing activity for the engagement matches the data processing categories for which the supplier has been approved. The DPR requirements are based on six categories of data processing for which a supplier may be approved as part of its registration with SSPA.
These categories are used to identify the risk associated with the services that a supplier provides to Microsoft.